From 5262eff022ea329698c2a8f8c070266f44efae47 Mon Sep 17 00:00:00 2001
From: Nelson Isioma <nelsonisioma1@gmail.com>
Date: Wed, 28 May 2025 23:59:43 +0100
Subject: [PATCH] feat: adding password expiry

---
 api/auth.go            | 12 +++++++++-
 api/client.go          | 29 +++++++++++++++++++-----
 api/password_expiry.go | 50 ++++++++++++++++++++++++++++++++++++++++++
 api/resources.go       | 11 ++++++++++
 4 files changed, 95 insertions(+), 7 deletions(-)
 create mode 100644 api/password_expiry.go

diff --git a/api/auth.go b/api/auth.go
index 19da61b..d3fb317 100644
--- a/api/auth.go
+++ b/api/auth.go
@@ -102,12 +102,22 @@ func (c *Client) Login(ctx context.Context) error {
 
 	c.userID = user.ID
 
+	settings, err := c.GetServerSettings(ctx)
+	if err != nil {
+		return fmt.Errorf("Getting Server Settings: %w", err)
+	}
+
 	// after Login, fetch MetadataTypeSettings to finish the Client Setup
-	c.setMetadataTypeSettings(ctx)
+	err = c.setMetadataTypeSettings(ctx, settings)
 	if err != nil {
 		return fmt.Errorf("Setup Metadata Type Settings: %w", err)
 	}
 
+	err = c.setPasswordExpirySettings(ctx, settings)
+	if err != nil {
+		return fmt.Errorf("Setup Password Expiry Settings: %w", err)
+	}
+
 	return nil
 }
 
diff --git a/api/client.go b/api/client.go
index 364ba75..a45f65c 100644
--- a/api/client.go
+++ b/api/client.go
@@ -36,6 +36,9 @@ type Client struct {
 	// Server Settings Determining which Metadata Keys to use
 	metadataKeySettings MetadataKeySettings
 
+	// Server Settings for password expiry
+	passwordExpirySettings PasswordExpirySettings
+
 	// used for solving MFA challenges. You can block this to for example wait for user input.
 	// You shouden't run any unrelated API Calls while you are in this callback.
 	// You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa
@@ -207,12 +210,7 @@ func (c *Client) GetPublicKey(ctx context.Context) (string, string, error) {
 }
 
 // setMetadataTypeSettings Gets and configures the Client to use the Types the Server wants us to use
-func (c *Client) setMetadataTypeSettings(ctx context.Context) error {
-	settings, err := c.GetServerSettings(ctx)
-	if err != nil {
-		return fmt.Errorf("Getting Server Settings: %w", err)
-	}
-
+func (c *Client) setMetadataTypeSettings(ctx context.Context, settings *ServerSettingsResponse) error {
 	if settings.Passbolt.IsPluginEnabled("metadata") {
 		c.log("Server has metadata plugin enabled, is v5 or Higher")
 		metadataTypeSettings, err := c.GetServerMetadataTypeSettings(ctx)
@@ -241,6 +239,25 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error {
 	return nil
 }
 
+// setPasswordExpirySettings Gets and configures the Client to use the password expiry plugin
+func (c *Client) setPasswordExpirySettings(ctx context.Context, settings *ServerSettingsResponse) error {
+	if settings.Passbolt.IsPluginEnabled("passwordExpiry") && settings.Passbolt.IsPluginEnabled("passwordExpiryPolicies") {
+		c.log("Server has password expiry plugin enabled.")
+		passwordExpirySettings, err := c.GetServerPasswordExpirySettings(ctx)
+		if err != nil {
+			return fmt.Errorf("Getting Password Expiry Settings: %w", err)
+		}
+
+		c.log("passwordExpirySettings: %+v", passwordExpirySettings)
+		c.passwordExpirySettings = *passwordExpirySettings
+	} else {
+		c.log("Server has password expiry plugin disabled or not installed.")
+		c.passwordExpirySettings = getDefaultPasswordExpirySettings()
+	}
+
+	return nil
+}
+
 // GetPGPHandle Gets the Gopgenpgp Handler
 func (c *Client) GetPGPHandle() *crypto.PGPHandle {
 	return c.pgp
diff --git a/api/password_expiry.go b/api/password_expiry.go
new file mode 100644
index 0000000..b5c756d
--- /dev/null
+++ b/api/password_expiry.go
@@ -0,0 +1,50 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+)
+
+// PasswordExpirySettings contains the Password expiry settings
+type PasswordExpirySettings struct {
+	ID                       string    `json:"id"`
+	DefaultExpiryPeriod      int       `json:"default_expiry_period,omitempty"`
+	PolicyOverride           bool      `json:"policy_override"`
+	AutomaticExpiry          bool      `json:"automatic_expiry"`
+	AutomaticUpdate          bool      `json:"automatic_update"`
+	ExpiryNotificationPeriod int       `json:"expiry_notification_period,omitempty"`
+	Created                  time.Time `json:"created"`
+	Modified                 time.Time `json:"modified"`
+	CreatedBy                string    `json:"created_by"`
+	ModifiedBy               string    `json:"modified_by"`
+}
+
+// GetServerPasswordExpirySettings gets the servers password expiry settings
+func (c *Client) GetServerPasswordExpirySettings(ctx context.Context) (*PasswordExpirySettings, error) {
+	msg, err := c.DoCustomRequestV5(ctx, "GET", "/password-expiry/settings.json", nil, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var passwordExpirySettings PasswordExpirySettings
+	err = json.Unmarshal(msg.Body, &passwordExpirySettings)
+	if err != nil {
+		return nil, err
+	}
+	return &passwordExpirySettings, nil
+}
+
+func getDefaultPasswordExpirySettings() PasswordExpirySettings {
+	return PasswordExpirySettings{
+		ID:                       "default",
+		DefaultExpiryPeriod:      0,
+		PolicyOverride:           false,
+		AutomaticExpiry:          false,
+		AutomaticUpdate:          false,
+		ExpiryNotificationPeriod: 0,
+		Created:                  time.Now(),
+		Modified:                 time.Now(),
+		CreatedBy:                "default",
+	}
+}
diff --git a/api/resources.go b/api/resources.go
index 2215686..3523cb8 100644
--- a/api/resources.go
+++ b/api/resources.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"time"
 )
 
 // Resource is a Resource.
@@ -35,6 +36,7 @@ type Resource struct {
 
 	Secrets []Secret `json:"secrets,omitempty"`
 	Tags    []Tag    `json:"tags,omitempty"`
+	Expired *Time    `json:"expired,omitempty"`
 }
 
 // Tag is a Passbolt Password Tag
@@ -85,6 +87,10 @@ func (c *Client) GetResources(ctx context.Context, opts *GetResourcesOptions) ([
 
 // CreateResource Creates a new Passbolt Resource
 func (c *Client) CreateResource(ctx context.Context, resource Resource) (*Resource, error) {
+	if c.passwordExpirySettings.DefaultExpiryPeriod != 0 {
+		expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.passwordExpirySettings.DefaultExpiryPeriod))
+		resource.Expired = &Time{expiry}
+	}
 	msg, err := c.DoCustomRequest(ctx, "POST", "/resources.json", "v2", resource, nil)
 	if err != nil {
 		return nil, err
@@ -122,6 +128,11 @@ func (c *Client) UpdateResource(ctx context.Context, resourceID string, resource
 	if err != nil {
 		return nil, fmt.Errorf("Checking ID format: %w", err)
 	}
+
+	if resource.Expired != nil && c.passwordExpirySettings.AutomaticUpdate {
+		expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.passwordExpirySettings.DefaultExpiryPeriod))
+		resource.Expired = &Time{expiry}
+	}
 	msg, err := c.DoCustomRequest(ctx, "PUT", "/resources/"+resourceID+".json", "v2", resource, nil)
 	if err != nil {
 		return nil, err